The recommended method of handling user data is not with a Cookie, but with an HttpSession:

safer than using cookies directly - data related to the user is placed in 'session scope'. Session scope
exists on the server, not in the browser, and is a much more secure way of handling sensitive data. In addition,
when implementing a session with cookies, the container will always generate cookie values
that are difficult to guess, making it difficult for hackers to steal someone else's session.

higher level of abstraction - each session is implemented using either
cookies or URL rewriting, but the details are hidden from the caller.

independence of browser settings - if the user's browser has cookies disabled, then
the session will be implemented using URL rewriting, as a backup, if desired.
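
The points above, as an added example that is not code from the original page: a servlet that keeps user data in session scope instead of writing it to a Cookie. It assumes the javax.servlet API is on the classpath; the class name AccountServlet, the attribute name "userEmail", the "email" parameter and the "account" redirect target are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical servlet: keeps user data in session scope, not in a Cookie. */
public class AccountServlet extends HttpServlet {

  private static final String USER_EMAIL = "userEmail"; // assumed attribute name

  /** Store the submitted value on the server, under the caller's session. */
  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    // Creates the session if none exists; the container generates the
    // hard-to-guess session id, the application never chooses it.
    HttpSession session = request.getSession(true);
    session.setAttribute(USER_EMAIL, request.getParameter("email"));
    // encodeRedirectURL appends the session id to the URL only when the
    // container decides URL rewriting is needed (e.g. cookies are disabled).
    // "account" is an assumed relative URL mapped to this servlet.
    response.sendRedirect(response.encodeRedirectURL("account"));
  }

  /** Read the value back from session scope; the browser never held it. */
  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    HttpSession session = request.getSession(false); // do not create one here
    Object email = (session == null) ? null : session.getAttribute(USER_EMAIL);
    if (email == null) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "No session data");
      return;
    }
    response.setContentType("text/plain;charset=UTF-8");
    response.getWriter().println("Stored for this session: " + email);
  }
}
```

Only the session id travels to the browser; the stored value stays on the server. When URL rewriting is in effect the id appears in the URL itself, so it can end up in logs and Referer headers.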

If you decide to use a Cookie directly, then care should be exercised that: